Patient info left at bus stop in data blunder by Hartlepool and Stockton hospital trust

Mark Payne

A HOSPITAL trust has been rapped by a watchdog after a file containing highly-sensitive information about a patient was left at a bus stop.

It was just one of a series of personal data blunders by North Tees and Hartlepool NHS Foundation Trust over the last year.

The University Hospital of North Tees in Stockton.

Other incidents resulted in patients’ information being lost or disclosed without authorisation including letters, notes and reports being sent to the wrong people.

The Trust has apologised saying it takes the breaches extremely seriously and is working hard to prevent it happening again.

The UK’s independent authority on upholding information rights, the Information Commissioner’s Office (ICO), which uncovered the failures during an investigation, said the Trust was “careless” in its handling of “highly sensitive” personal information.

Investigations carried out by the ICO revealed that at least one department in the hospital trust had been knowingly breaching the organisation’s data protection policy on a regular basis, saying they found the rules around secure transportation of documents impractical.

The careless way this highly sensitive personal information has been handled is embarrassing.

Information Commissioner’s Office

The Trust, which runs the University Hospital of Hartlepool and University Hospital of North Tees in Stockton, has been given three months to review its data protection policies.

Steve Eckersley, the ICO’s head of enforcement, said: “The careless way this highly sensitive personal information has been handled is embarrassing for the Trust involved.

“Even though the organisation had over-arching policies in place, they obviously weren’t being followed and didn’t seem to be suitable for every department.

“It’s important that every organisation not only has the correct policies and procedures in place but also that those policies are followed.

Lynne Hodgson.

“That includes providing the right training for staff so everyone can take their data protection responsibilities seriously.

“An action plan was put in place after earlier breaches, but clearly parts of the plan have been ineffective and after consideration we decided to issue an enforcement notice to improve compliance and to protect individuals.”

The ICO decided to take enforcement action after considering the likelihood of distress caused by the data breaches and against people’s right to privacy under the Human Rights Act.

David Smith, deputy information commissioner, said a report: “The individuals whose personal data was put at risk of unauthorised access and further dissemination would be likely to have suffered worry and anxiety on account of the risk that their data would come into the possession of unauthorised individuals.

“While there is no evidence that damage has been caused there was a significant risk that it could have been.”

The ICO carried out its investigation after being told of a number of separate incidents involving the loss or unauthorised disclosure of personal data during 2014 and early this year.

The most serious was the discovery of a folder containing highly sensitive personal information that was found at a bus stop by a member of the public.

The ICO’s report added one internal department had been breaching the trust’s own data protection policies on ongoing basis because “they found the rules around secure transportation of documents impractical for the daily tasks they were required to carry out.”

The ICO said the breach raised questions about whether the Trust’s policy was fit for purpose.

The watchdog said it also found several address errors leading to information being sent to the wrong place due to the Trust typing over previous patient letters – something that was included in an action plan after earlier breaches.

Mr Smith added: “The current incidents would indicate that to date, some of the implemented actions have been ineffective.

“In cases where the controller [Trust] has ultimately located lost or misdirected documents, the security and appropriateness of retrieval solutions has also raised concerns.”

Lynne Hodgson, director of finance, information and technology at the hospital trust, said: “We take these incidents extremely seriously and we are very sorry to those individuals whose confidentiality we may have breached.

“We are strengthening our policies and procedures and carrying out further training and awareness-raising to ensure all staff understand the importance of protecting people’s personal information.

“We are confident that these actions will, as far as humanly possible, prevent such incidents happening again.”